What is Checkmarx SCA?

Checkmarx SCA is the Software Composition Analysis engine inside the Checkmarx One platform. It scans open-source dependencies in package manifests across npm, PyPI, Maven Central, NuGet, Go, Cargo, Gem, Composer, and more, surfaces vulnerabilities and license risk across the dependency tree, and applies Exploitable Path Analysis (EPA) to demote CVEs not reachable from the customer's code. Programs adopt SCA through Merito with the implementation engagement attached.

What is Exploitable Path Analysis (EPA)?

EPA is Checkmarx's reachability-aware scoring on SCA findings. It cross-checks each CVE in a dependency against the customer's actual code paths (using Checkmarx SAST flow paths) and demotes CVEs in unreachable code. On portfolios with deep dependency trees, EPA reduces backlog volume by demoting unreachable findings that would otherwise dilute the signal. Merito turns EPA on by default during implementation.

How is Checkmarx SCA different from Snyk SCA, Black Duck, or Sonatype Lifecycle?

Snyk SCA is developer-experience-led and IDE-first; Black Duck is the legacy SCA market leader with deep license intelligence; Sonatype Lifecycle pairs with Nexus Repository for proxy-time enforcement. Checkmarx SCA differentiates on EPA reachability accuracy, cross-product correlation with SAST and DAST inside Checkmarx One, and consolidation with Triage and Remediation. Pick Snyk for developer experience, Black Duck for deep license intelligence, Sonatype for repo-time enforcement, Checkmarx for reachability and consolidation.

Does Checkmarx SCA generate SBOMs?

Yes, in CycloneDX and SPDX formats. Programs subject to EO 14028, NIST SSDF, or sector-specific SBOM mandates use the output as audit evidence. Merito wires SBOM generation into the CI/CD pipeline so SBOMs are emitted as build artifacts rather than generated ad hoc.

How does license policy work in Checkmarx SCA?

License policy is per-application or per-business-unit. Internal-only tooling can use copyleft licenses (GPL, AGPL) where the obligations are acceptable, while customer-facing SaaS gates new copyleft dependencies. Merito delivers license-policy design as part of the implementation engagement so blanket bans do not block legitimate internal use.

How is Checkmarx SCA licensed?

Checkmarx SCA is part of the Checkmarx One platform. Pricing is by application count, repository count, scan volume, and bundle (Essentials, Advanced, or Enterprise). License acquisition flows through Merito; implementation, EPA tuning, license-policy design, and CI/CD integration scope under a separate program engagement.

How long does a Checkmarx SCA implementation take?

First repository onboarded and scanning in days. PR-time gates and EPA tuning live in two to four weeks. Enterprise rollout across the portfolio typically runs three to six months. Merito treats EPA configuration and license-policy design as non-negotiable in the first month.

What services does Merito provide for Checkmarx SCA?

Tenant setup, EPA configuration, license-policy design, suppression workflow design, CI/CD integration, SBOM-generation wiring, MAPS Assessment for AppSec program scoping, Premium Support, Managed Services for ongoing run, training for AppSec architects and developers, and staff augmentation. The license is sold and scoped as a separate engagement from the implementation.

Checkmarx • Application security

Checkmarx SCA

Checkmarx SCA finds open-source vulnerabilities and license risk across the dependency tree, then applies Exploitable Path Analysis (EPA) to demote CVEs that are not actually reachable from the customer's code so the AppSec backlog reflects exploitable risk instead of the full CVE list.

A Merito Checkmarx SCA engagement turns on EPA reachability by default, tunes per-application license policy, and wires PR-time gates so SCA stops being a noise generator and becomes a triage queue AppSec can actually work.

Get Checkmarx SCA pricing Talk to a Merito Checkmarx SCA specialist

Best for: AppSec leaders running SCA programs across heterogeneous dependency trees, AppSec architects defining license policy and suppression discipline, Engineering leaders integrating SCA into PR-time gates
Hosting: SaaS
Time to value: First repository onboarded and scanning in days. PR-time gates and EPA tuning live in two to four weeks. Enterprise rollout across portfolio typically runs three to six months.
Security posture: GDPR, HIPAA-aligned design, SAML SSO
Last reviewed: 2026-04-26

What it is

Checkmarx SCA in the enterprise stack

Checkmarx SCA is the Software Composition Analysis engine inside Checkmarx One. It scans open-source dependencies in package manifests (package.json, pom.xml, requirements.txt, go.mod, Cargo.toml, Gemfile, composer.json, build.gradle, *.csproj) and the resolved transitive graph, then matches against the CVE database, license catalog, and known-bad indicators. Same shape as Snyk SCA, Black Duck, or Sonatype Lifecycle, with the differentiator being how Checkmarx reduces the noise.

Exploitable Path Analysis (EPA) is the load-bearing capability. A traditional SCA tool reports every CVE in every dependency in the tree. Most of those CVEs sit in code paths that the application never calls. EPA performs reachability analysis on the customer's actual code (cross-checked with Checkmarx SAST) and downgrades CVEs in unreachable code to a lower severity. On portfolios with deep dependency trees, EPA reduces the AppSec backlog by a meaningful margin because findings reflect what an attacker can exploit instead of every theoretically vulnerable line.

License compliance is the other half of SCA. Programs that ship code with copyleft licenses (GPL, AGPL) into proprietary products create legal exposure. Checkmarx SCA evaluates every dependency against a configurable license policy and flags forbidden licenses before they reach production. License policy is per-application or per-business-unit so internal-only tooling does not get audited like a customer-facing SaaS product.

What stalls SCA adoption is alert fatigue. Programs that take vendor-default policies, ignore EPA, and route every CVE finding to the developer queue burn out the engineering organization and the AppSec team simultaneously. Merito's engagement starts with EPA on by default, license-policy tuning, suppression workflow with audit trail, and developer-time integration that surfaces findings during PR review rather than as a separate dashboard. Without that, SCA generates more noise than it removes.

Ideal use cases

Reachability-aware SCA on heterogeneous codebases with deep dependency trees
License compliance enforcement (GPL, AGPL, copyleft policy gates)
PR-time SCA gates in Jenkins, GitHub Actions, GitLab CI, Azure DevOps, Bitbucket
SBOM generation for SBOM-required regulated programs
SCA consolidation off Snyk, Black Duck, or Sonatype Lifecycle onto Checkmarx One

What it is best at

Where Checkmarx SCA earns its seat

Exploitable Path Analysis (EPA) downgrades unreachable CVEs

Cross-checks SCA findings against actual code paths from Checkmarx SAST. CVEs in unreachable code drop in severity. On large dependency trees this is the difference between a paralyzing backlog and one AppSec can work.

Broad coverage across the package ecosystem

npm, PyPI, Maven Central, Maven, NuGet, Go modules, Cargo, Gem, Composer, and more in one engine. Programs stop stitching together specialist tools per ecosystem.

License policy with per-application granularity

Different license rules for internal tooling versus customer-facing SaaS. Programs avoid blanket copyleft bans that block legitimate internal use of GPL libraries.

Cross-product correlation with SAST, DAST, and API Security

SCA findings link back to the SAST flow path that calls the dependency and the DAST runtime confirmation. Triage and Remediation clusters SCA findings with related SAST findings on root cause.

SBOM generation in CycloneDX and SPDX

Generates SBOMs in industry-standard formats for regulated programs (federal, healthcare, financial services) that require SBOM-as-evidence under EO 14028 or sector-specific mandates.

Core capabilities

Checkmarx SCA capabilities, grouped by outcome

Dependency analysis and reachability

Where SCA earns its keep against the noise of a flat CVE list.

Direct and transitive dependency scanning
Resolves the full dependency graph and surfaces vulnerabilities across direct and transitive dependencies.
Exploitable Path Analysis (EPA)
Reachability-aware scoring. CVEs in code paths that are not actually called from production entry points get demoted, so the backlog reflects what an attacker can reach.
Ecosystem coverage
npm, PyPI, Maven Central, Maven, NuGet, Go modules, Cargo, Gem, Composer, and more in one engine.
Container and IaC dependency awareness
Crosses with Container Security and IaC Security to surface dependencies inside images and infrastructure templates.

License compliance

Avoiding legal exposure on copyleft and forbidden licenses without blanket bans.

Per-application license policy
Different license rules for internal tooling versus customer-facing SaaS. Avoids blanket copyleft bans that block legitimate internal use.
License obligation tracking
Surfaces attribution requirements, source-disclosure obligations, and license-compatibility issues across the dependency graph.
Forbidden-license gates
Block-on-introduce policy stops new copyleft dependencies from entering the build while triage works the legacy backlog.

SBOM and reporting

Audit-ready evidence for regulated and federal programs.

CycloneDX and SPDX SBOM generation
SBOM output in industry-standard formats for compliance with EO 14028, NIST SSDF, and sector-specific mandates.
Cross-product correlation
SCA findings cross-link to SAST flow paths, DAST runtime confirmations, and Container Security findings.
Triage and Remediation clustering
Related SCA findings cluster with SAST and runtime findings on root cause for single-fix remediation.
Compliance reporting
Audit-ready evidence for PCI DSS, HIPAA, SOC 2, ISO 27001, and FedRAMP attestations.

Where it fits in the stack

How Checkmarx SCA connects to the rest of your landscape

Checkmarx One platform (native)

Native

Checkmarx SASTEPA reachability analysis cross-checks SCA findings against Checkmarx SAST flow paths.
Checkmarx Container SecuritySurfaces dependencies inside container images and links them to base SCA findings.
Checkmarx Malicious Package ProtectionSourcing-time blocking of typosquatting and dependency-confusion attacks complements SCA's detection-time scanning.
Checkmarx Triage and RemediationSCA findings cluster with SAST findings on root cause for single-fix remediation.

CI/CD and developer tooling (certified)

Certified

Jenkins, GitHub Actions, GitLab CI, Azure DevOps, Bitbucket PipelinesPR-time and build-gate scanning with native plugins.
VS Code, IntelliJ, EclipseIDE plugins surface SCA findings and EPA reachability data during authoring.
Artifactory, Nexus Repository, ProGetRepository-level dependency analysis at the artifact-store boundary.
Jira, Azure Boards, ServiceNowFindings flow into ticketing as work items with bi-directional status sync.

Custom integrations

Custom

Internal CI/CD platformsREST and webhook integration for non-standard pipelines and bespoke build orchestrators.
GRC and license-management platformsLicense policy and SBOM data flowed into internal GRC and OSS-license-management systems.
Custom SBOM and compliance reportingCustomer-specific SBOM exports and compliance evidence for federal, healthcare, and financial-services audits.

Deployment and implementation

How it rolls out

Hosting: SaaS (North America, EMEA, APJ)
Implementation complexity: Moderate
Typical time to value: First repository onboarded and scanning in days. PR-time gates and EPA tuning live in two to four weeks. Enterprise rollout across portfolio typically runs three to six months.
Prerequisites: Repository inventory and scanning priority list
CI/CD platform decision (Jenkins, GitHub Actions, GitLab CI, Azure DevOps, Bitbucket)
Named AppSec policy owner
License-policy framework drafted or in progress
Triage and findings-routing operating model
What Merito usually handles: Checkmarx SCA runs as Checkmarx One SaaS. Merito handles tenant setup, EPA configuration, license-policy tuning, CI/CD integration, and the operating-model design that decides who owns SCA triage.

Licensing and packaging

How it is bought

Model: Subscription
What to expect: Checkmarx SCA is part of the Checkmarx One platform and licensed by application count, repository count, scan volume, and bundle tier. Pricing depends on developer count, AI-agent seat count, and bundle (Essentials, Advanced, or Enterprise). Merito holds the partner relationship; the AppSec program is separately scoped.
Editions and modules: Checkmarx One Essentials
SCA plus baseline SAST and Container Security in a single bundle.
Best for: Programs starting consolidation onto Checkmarx One.
Checkmarx One Advanced
Adds DAST, API Security, IaC Security, Malicious Package Protection, and Repository Health.
Best for: Mature AppSec programs running multiple scan types.
Checkmarx One Enterprise
Adds AI agents (Developer Assist, Triage and Remediation), AI Supply Chain Security, Software Supply Chain Security, and premium SLAs.
Best for: Enterprise programs with AI-augmented triage and supply-chain governance in scope.
Common expansion areas: Add Checkmarx Malicious Package Protection for sourcing-time blocking
Add Checkmarx Repository Health for sourcing-time scoring of OSS projects
Layer Triage and Remediation to cluster SCA findings with SAST and runtime findings
Add Software Supply Chain Security for SLSA-aligned build provenance and signing
Add AI Supply Chain Security for AI/ML SBOM and model dependency risk

Merito services

How Merito helps you win with Checkmarx SCA

Merito sells licenses and the delivery work around them. Pick the service that matches where you are in the lifecycle.

Checkmarx SCA Implementation

Tenant setup, EPA configuration, license-policy tuning, CI/CD integration, and SBOM generation wiring.

Explore service 02

MAPS Assessment

AppSec program scoping for Checkmarx SCA adoption alongside Snyk SCA, Black Duck, and Sonatype Lifecycle.

Explore service 03

DevOps Consulting

PR-time SCA gates and build-gate policy in Jenkins, GitHub Actions, GitLab CI, Azure DevOps, and Bitbucket.

Explore service 04

CRAFT Enablement

Developer enablement and AppSec champion programs around SCA findings and license discipline.

Explore service 05

Premium Support

Named engineer, priority SLAs, and release-time coverage for Checkmarx SCA.

Explore service 06

Managed Services

Long-term run support including EPA tuning, license-policy maintenance, and SBOM-generation operations.

Explore service 07

Training and Enablement

Role-based training for AppSec architects, security engineers, and developers consuming SCA output.

Explore service 08

Staff Augmentation

Merito-placed AppSec engineers and Checkmarx specialists embedded on long-running programs.

Explore service

Checkmarx SCA licensing

License Checkmarx SCA. Turn on EPA reachability. Same engagement.

Checkmarx SCA pricing arrives with EPA configuration, license-policy design, suppression workflow, and PR-time CI/CD integration that drop a 30,000-finding flat list into a triage queue AppSec can actually work.

Request Checkmarx SCA pricing

Merito point of view

Reachability is the only honest CVE math.

Merito has audited SCA programs that ran clean reports against vendor defaults, generated 30,000 open CVE findings across the portfolio, and shipped exactly zero remediations because the engineering organization correctly recognized the backlog as noise. The fix is reachability. Checkmarx EPA cross-checks SCA findings against SAST flow paths and demotes CVEs in code paths that are not actually called from production. On real portfolios that turns a flat 30,000-finding list into a several-thousand-finding queue AppSec can actually work.

Merito recommends Checkmarx SCA specifically when reachability matters, when license discipline needs per-application granularity, and when consolidation onto Checkmarx One pays back the integration cost. For programs already running mature Snyk SCA pipelines with reachability turned on, replacing them with Checkmarx is a 12-month project that often does not deliver enough delta to justify the disruption. Merito runs that decision honestly.

The pairing with Malicious Package Protection and Repository Health is the load-bearing move on supply-chain governance. SCA finds risk in dependencies that are already in the build; Malicious Package Protection blocks supply-chain attacks at registry-fetch time; Repository Health scores the OSS project hygiene before the dependency enters the tree. Programs running SCA without sourcing-time controls are doing periodic detection rather than active prevention.

What buyers usually underestimate

Running Checkmarx SCA without enabling EPA, generating a flat CVE list that buries reachable findings.
Applying blanket copyleft bans across the portfolio instead of per-application license policy.
Routing SCA findings to a developer queue without PR-time integration, so findings sit in a dashboard nobody reads.
Migrating off mature Snyk SCA pipelines without an honest assessment of delta value.
Adopting SCA without sourcing-time controls (Malicious Package Protection, Repository Health), so the program does detection rather than prevention.

Related from Merito

Continue exploring Checkmarx SCA on Merito

Checkmarx SCA FAQs

Consultation request

Talk to Merito about Checkmarx SCA

Share your dependency-tree shape, current SCA tool if any, and AppSec program posture. A Merito Checkmarx specialist follows up within one business day.

Reachability first

EPA cuts backlog noise

Exploitable Path Analysis demotes CVEs in unreachable code. The 30,000-finding backlog drops to a working queue.

License policy

Per-application granularity

Different rules for internal tooling and customer-facing SaaS. Blanket copyleft bans block legitimate internal use.

Next step

Turn on reachability before the backlog hits 30,000 CVEs.

A Merito Checkmarx SCA engagement starts with EPA configuration and license-policy design. Default-rule scans against vendor settings generate noise that erodes developer trust quickly.

Book a Checkmarx SCA consultation

Checkmarx SCA

How it rolls out

Hosting

SaaS (North America, EMEA, APJ)

Implementation complexity

Moderate

Typical time to value

First repository onboarded and scanning in days. PR-time gates and EPA tuning live in two to four weeks. Enterprise rollout across portfolio typically runs three to six months.

Prerequisites

Repository inventory and scanning priority list
CI/CD platform decision (Jenkins, GitHub Actions, GitLab CI, Azure DevOps, Bitbucket)
Named AppSec policy owner
License-policy framework drafted or in progress
Triage and findings-routing operating model

What Merito usually handles

Checkmarx SCA runs as Checkmarx One SaaS. Merito handles tenant setup, EPA configuration, license-policy tuning, CI/CD integration, and the operating-model design that decides who owns SCA triage.

How it is bought

Model

Subscription

What to expect

Checkmarx SCA is part of the Checkmarx One platform and licensed by application count, repository count, scan volume, and bundle tier. Pricing depends on developer count, AI-agent seat count, and bundle (Essentials, Advanced, or Enterprise). Merito holds the partner relationship; the AppSec program is separately scoped.

Editions and modules

Checkmarx One Essentials
SCA plus baseline SAST and Container Security in a single bundle.
Best for: Programs starting consolidation onto Checkmarx One.
Checkmarx One Advanced
Adds DAST, API Security, IaC Security, Malicious Package Protection, and Repository Health.
Best for: Mature AppSec programs running multiple scan types.
Checkmarx One Enterprise
Adds AI agents (Developer Assist, Triage and Remediation), AI Supply Chain Security, Software Supply Chain Security, and premium SLAs.
Best for: Enterprise programs with AI-augmented triage and supply-chain governance in scope.

Common expansion areas

Add Checkmarx Malicious Package Protection for sourcing-time blocking
Add Checkmarx Repository Health for sourcing-time scoring of OSS projects
Layer Triage and Remediation to cluster SCA findings with SAST and runtime findings
Add Software Supply Chain Security for SLSA-aligned build provenance and signing
Add AI Supply Chain Security for AI/ML SBOM and model dependency risk

Talk to Merito about Checkmarx SCA

Share your dependency-tree shape, current SCA tool if any, and AppSec program posture. A Merito Checkmarx specialist follows up within one business day.

Reachability first

EPA cuts backlog noise

Exploitable Path Analysis demotes CVEs in unreachable code. The 30,000-finding backlog drops to a working queue.

License policy

Per-application granularity

Different rules for internal tooling and customer-facing SaaS. Blanket copyleft bans block legitimate internal use.